Analysis

max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:41

Behavioral task: behavioral1
Sample: JaffaCakes118_610dc47db4ca9cc504499989b9b2a88e97f8f903c9f3556c75c17e46d9daea63.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: JaffaCakes118_610dc47db4ca9cc504499989b9b2a88e97f8f903c9f3556c75c17e46d9daea63.exe
Resource: win10v2004-20241007-en

General

Target: JaffaCakes118_610dc47db4ca9cc504499989b9b2a88e97f8f903c9f3556c75c17e46d9daea63.exe
Size: 1.3MB
MD5: fe0dfa3dbd245726c680f9ec5b209a56
SHA1: 2e27d696e504e35e57d72b4daaa404ece2cc2ced
SHA256: 610dc47db4ca9cc504499989b9b2a88e97f8f903c9f3556c75c17e46d9daea63
SHA512: e62de4d83bc3be3e970bfc5895802677d6c9a2c414ce42e63fabc042601ec8bd8451a64ac3e17ea3764b2c35c13bfbec671cd62b4cff321e740120fbb7ef10f7
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process (45 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

description (identical in all 45 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 2556, Process: schtasks.exe, procid_target: 34 (identical in all 45 rows)
pid: 2952, 2920, 2720, 2812, 2692, 2760, 2348, 2340, 2008, 1608, 2084, 1948, 1776, 1744, 2108, 1784, 1900, 1996, 1632, 2768, 1236, 1844, 2940, 2932, 2312, 112, 2240, 1224, 2452, 716, 2184, 2196, 328, 984, 1452, 1300, 796, 840, 1700, 1656, 2780, 780, 2784, 916, 1680

Yara rule matches:
resource                                                                      yara_rule
behavioral1/files/0x0008000000018bdd-9.dat                                    dcrat
behavioral1/memory/2588-13-0x0000000001160000-0x0000000001270000-memory.dmp   dcrat
behavioral1/memory/2868-54-0x0000000000AE0000-0x0000000000BF0000-memory.dmp   dcrat
behavioral1/memory/1580-188-0x0000000000E20000-0x0000000000F30000-memory.dmp  dcrat
behavioral1/memory/2728-248-0x0000000001250000-0x0000000001360000-memory.dmp  dcrat
behavioral1/memory/2792-308-0x00000000002E0000-0x00000000003F0000-memory.dmp  dcrat
behavioral1/memory/1916-368-0x0000000000B70000-0x0000000000C80000-memory.dmp  dcrat
behavioral1/memory/2372-487-0x0000000000160000-0x0000000000270000-memory.dmp  dcrat
behavioral1/memory/2512-547-0x00000000011A0000-0x00000000012B0000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 16 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
pid (Process is powershell.exe in all 16 rows): 2076, 2272, 1956, 2584, 1220, 3064, 2428, 1524, 1444, 2484, 2132, 2664, 1752, 2080, 2140, 768
Executes dropped EXE (10 IoCs)
pid   Process
2588  DllCommonsvc.exe
2868  cmd.exe
1580  cmd.exe
2728  cmd.exe
2792  cmd.exe
1916  cmd.exe
1936  cmd.exe
2372  cmd.exe
2512  cmd.exe
892   cmd.exe

Loads dropped DLL (2 IoCs)
pid   Process
2560  cmd.exe
2560  cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
flow  ioc
37    raw.githubusercontent.com
4     raw.githubusercontent.com
5     raw.githubusercontent.com
20    raw.githubusercontent.com
34    raw.githubusercontent.com
30    raw.githubusercontent.com
12    raw.githubusercontent.com
16    raw.githubusercontent.com
23    raw.githubusercontent.com
27    raw.githubusercontent.com

Drops file in Program Files directory (8 IoCs)
description   ioc                                                                 Process
File created  C:\Program Files\Microsoft Office\Office14\1033\101b941d020240      DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Portable Devices\audiodg.exe         DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Portable Devices\42af1c969fbb7b      DllCommonsvc.exe
File created  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe        DllCommonsvc.exe
File created  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\42af1c969fbb7b     DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe              DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Mail\fr-FR\7a0fd90576e088            DllCommonsvc.exe
File created  C:\Program Files\Microsoft Office\Office14\1033\lsm.exe             DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_610dc47db4ca9cc504499989b9b2a88e97f8f903c9f3556c75c17e46d9daea63.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 45 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid (Process is schtasks.exe in all 45 rows): 1608, 1948, 1744, 2240, 1224, 840, 1700, 2720, 1900, 1632, 2932, 2692, 1236, 2312, 112, 2184, 2196, 984, 2784, 1680, 2812, 2760, 2780, 780, 2952, 1996, 716, 1452, 796, 2084, 1776, 328, 1300, 1656, 2348, 2108, 1784, 2768, 1844, 916, 2920, 2340, 2008, 2940, 2452
Suspicious behavior: EnumeratesProcesses (28 IoCs)
pid   Process
2588  DllCommonsvc.exe
2588  DllCommonsvc.exe
2588  DllCommonsvc.exe
2428  powershell.exe
2076  powershell.exe
1220  powershell.exe
2868  cmd.exe
2080  powershell.exe
2140  powershell.exe
2664  powershell.exe
2132  powershell.exe
2272  powershell.exe
2584  powershell.exe
3064  powershell.exe
1752  powershell.exe
768   powershell.exe
1444  powershell.exe
2484  powershell.exe
1524  powershell.exe
1956  powershell.exe
1580  cmd.exe
2728  cmd.exe
2792  cmd.exe
1916  cmd.exe
1936  cmd.exe
2372  cmd.exe
2512  cmd.exe
892   cmd.exe

Suspicious use of AdjustPrivilegeToken (26 IoCs)
description (identical in all 26 rows): Token: SeDebugPrivilege
pid   Process
2588  DllCommonsvc.exe
2868  cmd.exe
2428  powershell.exe
2076  powershell.exe
1220  powershell.exe
2080  powershell.exe
2140  powershell.exe
2664  powershell.exe
2132  powershell.exe
2272  powershell.exe
2584  powershell.exe
3064  powershell.exe
1752  powershell.exe
768   powershell.exe
1444  powershell.exe
2484  powershell.exe
1524  powershell.exe
1956  powershell.exe
1580  cmd.exe
2728  cmd.exe
2792  cmd.exe
1916  cmd.exe
1936  cmd.exe
2372  cmd.exe
2512  cmd.exe
892   cmd.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                        pid   Process                                                                              procid_target
PID 1712 wrote to memory of 2352   1712  JaffaCakes118_610dc47db4ca9cc504499989b9b2a88e97f8f903c9f3556c75c17e46d9daea63.exe  30
PID 1712 wrote to memory of 2352   1712  JaffaCakes118_610dc47db4ca9cc504499989b9b2a88e97f8f903c9f3556c75c17e46d9daea63.exe  30
PID 1712 wrote to memory of 2352   1712  JaffaCakes118_610dc47db4ca9cc504499989b9b2a88e97f8f903c9f3556c75c17e46d9daea63.exe  30
PID 1712 wrote to memory of 2352   1712  JaffaCakes118_610dc47db4ca9cc504499989b9b2a88e97f8f903c9f3556c75c17e46d9daea63.exe  30
PID 2352 wrote to memory of 2560   2352  WScript.exe                                                                          31
PID 2352 wrote to memory of 2560   2352  WScript.exe                                                                          31
PID 2352 wrote to memory of 2560   2352  WScript.exe                                                                          31
PID 2352 wrote to memory of 2560   2352  WScript.exe                                                                          31
PID 2560 wrote to memory of 2588   2560  cmd.exe                                                                              33
PID 2560 wrote to memory of 2588   2560  cmd.exe                                                                              33
PID 2560 wrote to memory of 2588   2560  cmd.exe                                                                              33
PID 2560 wrote to memory of 2588   2560  cmd.exe                                                                              33
PID 2588 wrote to memory of 2664   2588  DllCommonsvc.exe                                                                     80
PID 2588 wrote to memory of 2664   2588  DllCommonsvc.exe                                                                     80
PID 2588 wrote to memory of 2664   2588  DllCommonsvc.exe                                                                     80
PID 2588 wrote to memory of 1444   2588  DllCommonsvc.exe                                                                     81
PID 2588 wrote to memory of 1444   2588  DllCommonsvc.exe                                                                     81
PID 2588 wrote to memory of 1444   2588  DllCommonsvc.exe                                                                     81
PID 2588 wrote to memory of 1220   2588  DllCommonsvc.exe                                                                     82
PID 2588 wrote to memory of 1220   2588  DllCommonsvc.exe                                                                     82
PID 2588 wrote to memory of 1220   2588  DllCommonsvc.exe                                                                     82
PID 2588 wrote to memory of 1752   2588  DllCommonsvc.exe                                                                     83
PID 2588 wrote to memory of 1752   2588  DllCommonsvc.exe                                                                     83
PID 2588 wrote to memory of 1752   2588  DllCommonsvc.exe                                                                     83
PID 2588 wrote to memory of 2076   2588  DllCommonsvc.exe                                                                     84
PID 2588 wrote to memory of 2076   2588  DllCommonsvc.exe                                                                     84
PID 2588 wrote to memory of 2076   2588  DllCommonsvc.exe                                                                     84
PID 2588 wrote to memory of 2584   2588  DllCommonsvc.exe                                                                     85
PID 2588 wrote to memory of 2584   2588  DllCommonsvc.exe                                                                     85
PID 2588 wrote to memory of 2584   2588  DllCommonsvc.exe                                                                     85
PID 2588 wrote to memory of 768    2588  DllCommonsvc.exe                                                                     86
PID 2588 wrote to memory of 768    2588  DllCommonsvc.exe                                                                     86
PID 2588 wrote to memory of 768    2588  DllCommonsvc.exe                                                                     86
PID 2588 wrote to memory of 2484   2588  DllCommonsvc.exe                                                                     87
PID 2588 wrote to memory of 2484   2588  DllCommonsvc.exe                                                                     87
PID 2588 wrote to memory of 2484   2588  DllCommonsvc.exe                                                                     87
PID 2588 wrote to memory of 2132   2588  DllCommonsvc.exe                                                                     88
PID 2588 wrote to memory of 2132   2588  DllCommonsvc.exe                                                                     88
PID 2588 wrote to memory of 2132   2588  DllCommonsvc.exe                                                                     88
PID 2588 wrote to memory of 1524   2588  DllCommonsvc.exe                                                                     89
PID 2588 wrote to memory of 1524   2588  DllCommonsvc.exe                                                                     89
PID 2588 wrote to memory of 1524   2588  DllCommonsvc.exe                                                                     89
PID 2588 wrote to memory of 1956   2588  DllCommonsvc.exe                                                                     91
PID 2588 wrote to memory of 1956   2588  DllCommonsvc.exe                                                                     91
PID 2588 wrote to memory of 1956   2588  DllCommonsvc.exe                                                                     91
PID 2588 wrote to memory of 2272   2588  DllCommonsvc.exe                                                                     92
PID 2588 wrote to memory of 2272   2588  DllCommonsvc.exe                                                                     92
PID 2588 wrote to memory of 2272   2588  DllCommonsvc.exe                                                                     92
PID 2588 wrote to memory of 2140   2588  DllCommonsvc.exe                                                                     94
PID 2588 wrote to memory of 2140   2588  DllCommonsvc.exe                                                                     94
PID 2588 wrote to memory of 2140   2588  DllCommonsvc.exe                                                                     94
PID 2588 wrote to memory of 2080   2588  DllCommonsvc.exe                                                                     95
PID 2588 wrote to memory of 2080   2588  DllCommonsvc.exe                                                                     95
PID 2588 wrote to memory of 2080   2588  DllCommonsvc.exe                                                                     95
PID 2588 wrote to memory of 2428   2588  DllCommonsvc.exe                                                                     97
PID 2588 wrote to memory of 2428   2588  DllCommonsvc.exe                                                                     97
PID 2588 wrote to memory of 2428   2588  DllCommonsvc.exe                                                                     97
PID 2588 wrote to memory of 3064   2588  DllCommonsvc.exe                                                                     98
PID 2588 wrote to memory of 3064   2588  DllCommonsvc.exe                                                                     98
PID 2588 wrote to memory of 3064   2588  DllCommonsvc.exe                                                                     98
PID 2588 wrote to memory of 2868   2588  DllCommonsvc.exe                                                                     112
PID 2588 wrote to memory of 2868   2588  DllCommonsvc.exe                                                                     112
PID 2588 wrote to memory of 2868   2588  DllCommonsvc.exe                                                                     112
PID 2868 wrote to memory of 296    2868  cmd.exe                                                                              114
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each process is prefixed with its depth in the process tree ([1] is a root); the signatures the sandbox attached to it are listed beneath its command line.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_610dc47db4ca9cc504499989b9b2a88e97f8f903c9f3556c75c17e46d9daea63.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_610dc47db4ca9cc504499989b9b2a88e97f8f903c9f3556c75c17e46d9daea63.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1712

[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2352

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2560

[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2588
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2664

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1444

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1220

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1752

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Windows NT\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2076

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2584

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 768

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2484

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2132

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1524

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1956

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2272

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2140

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2080

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2428

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3064
[5] C:\Users\All Users\Microsoft\Windows NT\cmd.exe
    Command line: "C:\Users\All Users\Microsoft\Windows NT\cmd.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2868

[6] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat"
    PID: 296

[7] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2780

[7] C:\Users\All Users\Microsoft\Windows NT\cmd.exe
    Command line: "C:\Users\All Users\Microsoft\Windows NT\cmd.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1580

[8] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat"
    PID: 2312

[9] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2252

[9] C:\Users\All Users\Microsoft\Windows NT\cmd.exe
    Command line: "C:\Users\All Users\Microsoft\Windows NT\cmd.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2728

[10] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"
    PID: 2224

[11] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2084

[11] C:\Users\All Users\Microsoft\Windows NT\cmd.exe
    Command line: "C:\Users\All Users\Microsoft\Windows NT\cmd.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2792

[12] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat"
    PID: 896

[13] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1000

[13] C:\Users\All Users\Microsoft\Windows NT\cmd.exe
    Command line: "C:\Users\All Users\Microsoft\Windows NT\cmd.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1916

[14] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"
    PID: 1580

[15] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2252

[15] C:\Users\All Users\Microsoft\Windows NT\cmd.exe
    Command line: "C:\Users\All Users\Microsoft\Windows NT\cmd.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1936

[16] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
    PID: 2348

[17] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3004

[17] C:\Users\All Users\Microsoft\Windows NT\cmd.exe
    Command line: "C:\Users\All Users\Microsoft\Windows NT\cmd.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2372

[18] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
    PID: 980

[19] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2124

[19] C:\Users\All Users\Microsoft\Windows NT\cmd.exe
    Command line: "C:\Users\All Users\Microsoft\Windows NT\cmd.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2512

[20] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"
    PID: 1628

[21] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 808

[21] C:\Users\All Users\Microsoft\Windows NT\cmd.exe
    Command line: "C:\Users\All Users\Microsoft\Windows NT\cmd.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 892

[22] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat"
    PID: 2248

[23] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2912
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows NT\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Favorites\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1174271b47dbe714cf98baa8220050a4
SHA1 ebd7896cf292c916a983e979b7603fa79df37d96
SHA256 9e2d91934c266e974a29d5bb242399edbe386f5a12a990590fbbf07fc1063e52
SHA512 ad64b13d662b9b43a80ca09afcb7a10df13768b268c6e21813333452596ac535242ec300921e0a7e2d290d94e1e946c69b45795a98ad218576355cce89ea6674
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 470d74c522505623b952f8c0a801db02
SHA1 8891fec35377209c4be92dc706e3ee43fe699960
SHA256 07624574bc0153a24fa719b98fe77f2c2e1999796dd27f86622c714066cb3e2e
SHA512 912e0745ff7dc11481d0c0af855f2b28ac50242d66a42415b7a3bfd5fb664208717ed0de371efb7338e455bc389218bb47660bd69a4dcc0e1bd748a5a5677b2e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f8c98bf263c32bb6e023e2a25e01d04e
SHA1 60f48c8f025ae0ebe1629487741ec6ccc149b75a
SHA256 874a6fce7aec6fc2d2651abf00d731b4828d8013b617fd09df1daf80006e9ea4
SHA512 43b58609bb48fae57000eedd4f7f9a425d649794956bc99259e1460cddb64a0b7522e5830490af09b6158b25f8750b8464cb5aa3a334251cdf254e1925beb0f6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c993a1f880f1f76ed45bb5f91912328f
SHA1 a28db19b0001bbe7f3d748ab09c0a6083f8417a6
SHA256 1a09daff01f48c6da5ec939e4048416782bed40239484e54dbef483e8f65c73b
SHA512 6844ea381b505903b8513f06aa6bc63cd47c1fde6dafcb20e50cb99bd3fc33884990e735384c34796bf403c8d624491af9c8a43e3dc07c75c3e3acc6aef3b2ae
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 091d27eb06b668ffdf6f7a02f10dad39
SHA1 953ff02330adde58cddba06eafef172c277696d7
SHA256 19e8f93683a99c0dacca05467c591b89d34c95714246e02d4919b9feb2f64810
SHA512 cb8329dc3eaac31091120b8d6801ba346ef975c0a2463910b8214f4570eeca81c563eae9246a73a401a7d5fad1e18784da4734e12d8ee80fec7048cf2f6c25c0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7a12769151d2ba62c2f38a07e8d5fb58
SHA1 284bc3acee0b8cf81439108cd06fc770cc653c8d
SHA256 cdb4e076e7d23b0b43154c000af7533eab41827311e6b617f0ce356abbd48ff3
SHA512 3ade19abdf69ceba79d1a7d2c84c58be956aef9b67e8f102523812e344e4e94d3288e7fd9ce23317cfc4551b79ed5bd1c9d2f276eadd49496095714220931038
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 78b2e40a75120c0c33c3c23c7f501ccf
SHA1 f0514fd33b9d34a4074f89ad5136517a36133d64
SHA256 3743cf281b60c7fd514d6ae44cb1e93b9fb373d3bef4a88da51fb4f2dcdf4a0b
SHA512 f84e590e0f3610feb82973e1e20a61ecc404a9699a2be5f29d6be97c3f45f3e752b49ca8358021ec16435c150e725c78bc4eec77b943ba58bb5739b50deed254
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 02caf01fd367a8baba936a8f6a6c164e
SHA1 88340e6dc461202c42bb09d5e38f485bd85e248f
SHA256 618d5571f184492a453803949849791cde6f1eeb5de616591d6f58f61421ddde
SHA512 ff88cdd9e1168f698890392d6a8284976c834bb01d61c0fdf5ed1b4c2572387e3723632285fd6c9984198f75d9334c0d4974fca219f5c312ea98d5f781109f07
-
Filesize 212B
MD5 29b4bd2dfc874a64a5f655af39895333
SHA1 33a750e4035e8d4c5a4ffff7698dec142f5f9851
SHA256 f5407cb7e811b70394ff8b716b51bc8577aa024053d88c2e23ff8480747bca34
SHA512 54746bd2e7c37bd36af51384874f391f39791428bf368230f7a4cd3819e2751c3e35e27397aa7fdf471186d9105529f4bc7d7cf8e7e9463ffa8f18f6480c086c
-
Filesize 212B
MD5 108fb3a0b478e2454b612b2492ae2af3
SHA1 d682825a0b9ed61458cb508bba0ac5f027cce772
SHA256 447cadfe7304d1cf283dddba34f898d20d0ede64563c2e79e433aebbb877aaf8
SHA512 95ad46ec2a52b3a19bb50f0cbe0bf8b88c5ee12f3b9469b69888fc6af6bcc17411d7ceda55624b30b2965f0505e738ed100b95c1e0f6dd637a2912ab06a11914
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 212B
MD5 71d3dfa6c0b490b2bff4adbb49eb970b
SHA1 a3a2797b6213328176b4df5f8f447a676f464ad0
SHA256 0ae0be2a2f3de3ac8653ee2de2fb802d015ed71cc81d195f838e2e24fe1940bb
SHA512 bbfee15053c45a8da264163704c511957c180b09c5ccf8057f6f0bd94a92b55f4db352b76d82bc88330837b09b21b5893a10a613a4a80797f0a33afcdcd2380d
-
Filesize 212B
MD5 0bea5037b6af4a3bc8477682aa0b1999
SHA1 d8d9ccaa42add79ca595deea4781e21360b4fc5a
SHA256 8c31b9a117e33df5a6c9f0f2936d7624eea220c7be3aa7248f2500c0f0f16a29
SHA512 a025f28fca9e5b8ab7e6281cd0a399f8f337a9e79bd892e64ef2885b49afc856c71610a3019b37a44b2c1b3b1962b86ce2bf6b386ebfa490b52c9708e3e896f8
-
Filesize 212B
MD5 5d81e71e9d93a1109d9ee6d80aa4626f
SHA1 14e3e3b103d1e7ef03ea1b6bf08b04a6c821853f
SHA256 47768a6849491b094f9b51167ab5ed1a4ff5a7036aa8fe65821ff8c5e24a18d0
SHA512 1d345a1151671f7c8ba6e66547aa047940a058032d4e797bff76cf4f1f35527b45cd3953dbcc07a7966b7e43a4a53590d1a381acb505863abbb97305df4b8741
-
Filesize 212B
MD5 500268203091e89ab6f19a77f880798d
SHA1 1c989245a5e1cc2c09c581fb5c91f5eb4baf7a7f
SHA256 394c32160a61d1653c4a8c24f8bdefe992e0b79603fa43d06e57976f1852d61f
SHA512 a56726caf71c0e27267a7f6d2e0d533fe8b92c9195040b0860cccb46f8d822b13d9052bd81fe6a859d4a2bdff273625e55ef7a8680597ca77637af9a4152e85e
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 212B
MD5 1b4ff560e247db872c3c7a2121638474
SHA1 a850e8bf5621b33662f595f83ff71b2c293b5365
SHA256 fd6f5a4ca1fd07bfc8c1bf371172f4bd5d714413e56f8991eae836c69b5a8393
SHA512 bf0a8378d1c493c843c0869c8fc8b591605e28d3f181793c391cddcd294e9f3ed092f0c711b2ce479f229ab933b0933a61b3fda02495952c313c0eaac53acc5b
-
Filesize 212B
MD5 0b8e492234989d68be1c0b7d5ae92eb6
SHA1 f4b2e691daa5282fc904749e9e318ef1a2464d5a
SHA256 f7865c4273c89d5dd154cc9f57b8c3225c6fa8595eb608feba64400d37d561ae
SHA512 351d5833e519f09997872424d1b5f52b9e0378ca4a35e0f65c2e9b10c919078333a3bf024a288eb99b65d7c252aba552d4f266d9336b3591d4fef4ba73bb815e
-
Filesize 212B
MD5 de782c27f72f9185150932ace30d8d37
SHA1 28e90c992a0a815ed292193decd76e7fb5e3ed0f
SHA256 02fb336579c8f91a1bbd8ba7826f2be1b224cf51b91134d538a037beee4c53ec
SHA512 0c436f6440623cd8d7b519b7f45df0478654c82bbb63ff075c8a0b6116960ce7c815f5664a3216c17c0b25e815f67e8f9131a189fac8b9b4072ff03265f594ab
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 822a6ee8f798ed7ab7c4f4eb43de3005
SHA1 fde11260399565fe35a504cc4c44a715b9bcaca3
SHA256 4b16f643aa1499f0e43e1092b14c3ba6c2db19581e8db4844e1d5a3a18d2a460
SHA512 a257da9ed6f84aa68c19c4d21ef79df9ddb8512923f11f0f8efb769c4c72532d82e1fb63d7dabda74ec891a3433c7517504c59863b5d9e904d2f4fb7ad8943a5
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394